The Sender Policy Framework (SPF) is today used by many mail servers or
SPAM filters to determine if an email sent as originating from
email@example.com really originates from
example.net or if it was highjacked by a spammer. An SPF-enabled
receiving mail server checks both, the fully qualified domain name (FQDN) as
specified in the HELO or EHLO announce message sent by the mail client, and the
domain of the envelop email address (MAIL FROM) against the SPF record(s)
stored in DNS for that domain.
As an example, I own two domains,
michaelonroad.de. I run a SMTP server on the domain
mail.ntecs.de. As such, I need two SPF DNS records for domain
# DNS zone for domain ntecs.de @ IN TXT "v=spf1 mx -all" mail IN TXT "v=spf1 a -all"
The first line tells the SPF enabled mail server that all email in the form of
firstname.lastname@example.org MUST exclusively be sent by one of the servers
listed as a Mail Exchange (MX) record of the same domain. The MX record
resolves to an IP address which is then checked against the IP address of the
connection. The second line is used to check against the EHLO (or HELO)
announcement. For example my SMTP server announces itself with a
mail.ntecs.de. Only the IP address of the
server is accepted here in this case (or more specifically the IP address it’s
A record resolves to).
For my second domain
michaelonroad.de I would only need one SPF record:
# DNS zone for domain michaelonroad.de @ IN TXT "v=spf1 mx -all"
This is because I use
mail.ntecs.de even for sending mail from
email@example.com. Also note that in my case I only run
one server for both incoming and outgoing mail (for all domains).